RADIUS Translation – Map Directory Attributes to RADIUS Responses

The RADIUS Translation page defines rules that map LDAP directory attributes to RADIUS response attributes. When a user authenticates through an LDAP profile or Entra ID profile with RADIUS translation enabled, MideyeServer reads the specified LDAP attributes from the user's directory entry, matches them against configured patterns, and includes the corresponding RADIUS attributes in the Access-Accept response.

This feature is essential for role-based access control, VLAN assignment, and vendor-specific attribute delivery based on directory group membership.

Required Role: ROOT, SUPER_ADMIN, or ADMIN (to create, edit, or delete rules)

Navigation: Home → Directory Settings → RADIUS Translation

| Role | View | Create / Edit / Delete |
|------|------|----------------------|
| ROOT | ✅ | ✅ |
| SUPER_ADMIN | ✅ | ✅ |
| ADMIN | ✅ | ✅ |
| OPERATOR | ✅ | ❌ |

| Column | Description | Visibility |
|--------|-------------|------------|
| LDAP Attribute | LDAP attribute name(s) to read from the directory | Default |
| LDAP Value | Regex pattern to match against the attribute value | Always |
| RADIUS Attribute | Target RADIUS attribute for the response | Default |
| RADIUS Value | Value to set in the RADIUS response when matched | Default |
| Action | Edit and Delete buttons (admin only) | Always |


| Field | Type | Required | Validation | Default | Description |
|-------|------|----------|------------|---------|-------------|
| LDAP Attributes | Multi-tag input | No | — | memberOf | LDAP attribute(s) to read. Multiple attributes are separated by semicolons |
| LDAP Value | Text | Yes | — | (.*)VPNUsers(.*) | Regex pattern to match against the LDAP attribute value |
| RADIUS Attribute Type | Select | Yes | — | Standard (RFC 2865) | Filters the attribute dropdown: Standard or Vendor-Specific |
| RADIUS Attribute | Select | Yes | — | — | Target RADIUS attribute (filtered by type and vendor) |
| RADIUS Value | Text | Yes | — | — | Value to include in the RADIUS response |

| Option | Description |
|--------|-------------|
| Standard Attribute (RFC 2865) | Standard RADIUS attributes (e.g., Filter-Id, Class, Framed-IP-Address) |
| Vendor-Specific Attributes | Custom attributes from configured vendors |

  1. A user authenticates through a RADIUS client that references an LDAP or Entra ID profile.
  2. The profile must have RADIUS translation enabled (LDAP: enableLdapRadiusTranslation, Entra ID: enableRadiusTranslation).
  3. MideyeServer reads the specified LDAP attributes from the user's directory entry.
  4. Each translation rule's LDAP Value regex pattern is matched against the attribute values.
  5. For every matching rule, the configured RADIUS Attribute with the specified RADIUS Value is added to the Access-Accept response.
  6. If a rule maps to the RADIUS Class attribute with a role type value, it functions as a role translation rule.
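
The evaluation steps above, sketched as an added example (not MideyeServer code) that also shows why the unanchored (.*)Administrators(.*) pattern used further down this page matches more groups than the intended one. The whole-value, case-sensitive regex semantics are an assumption the page does not state; the rule tuples, DNs and the admin-role value are constructed sample data.

```python
import re

# Constructed sample rules: (LDAP attributes, LDAP Value regex, RADIUS attribute, RADIUS value).
RULES = [
    (["memberOf"], r"(.*)VLAN100-Users(.*)", "Tunnel-Private-Group-ID", "100"),
    (["memberOf"], r"(.*)Administrators(.*)", "Class", "admin-role"),
]

# The same role rule pinned to one exact group DN (constructed DN).
STRICT_RULES = [
    (["memberOf"], r"CN=Administrators,OU=Groups,DC=example,DC=com", "Class", "admin-role"),
]


def translate(entry, rules):
    """Return the (attribute, value) pairs a rule set adds to the Access-Accept.

    Assumption: the LDAP Value regex must match the whole attribute value
    (re.fullmatch) and is case-sensitive; the page does not state this.
    Every matching rule contributes, as the page describes.
    """
    response = []
    for ldap_attrs, pattern, radius_attr, radius_value in rules:
        # Collect the values of every attribute the rule names.
        values = [v for a in ldap_attrs for v in entry.get(a, [])]
        if any(re.fullmatch(pattern, v) for v in values):
            response.append((radius_attr, radius_value))
    return response


# Constructed directory entries.
ALICE = {"memberOf": ["CN=Administrators,OU=Groups,DC=example,DC=com",
                      "CN=VLAN100-Users,OU=Groups,DC=example,DC=com"]}
# Group whose CN merely contains the word "Administrators".
BOB = {"memberOf": ["CN=Print-Administrators,OU=Groups,DC=example,DC=com"]}
# Ordinary group that sits inside an OU named "Administrators".
CAROL = {"memberOf": ["CN=Staff,OU=Administrators,DC=example,DC=com"]}

if __name__ == "__main__":
    for name, entry in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(name, translate(entry, RULES), translate(entry, STRICT_RULES))
```

Under the broad rule Bob and Carol both receive the Class attribute; under the rule pinned to the exact group DN only Alice does.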

Map Active Directory group membership to a RADIUS attribute for VLAN assignment:

  1. Click Add New.
  2. Set LDAP Attributes to memberOf.
  3. Set LDAP Value to (.*)VLAN100-Users(.*) (regex matching the group DN).
  4. Select the appropriate RADIUS attribute (e.g., Tunnel-Private-Group-ID or a vendor-specific attribute).
  5. Set RADIUS Value to 100.
  6. Save.

Map directory groups to RADIUS Class attributes for role assignment:

  1. Click Add New.
  2. Set LDAP Attributes to memberOf.
  3. Set LDAP Value to (.*)Administrators(.*).
  4. Select the Class RADIUS attribute.
  5. Set RADIUS Value to the role identifier expected by the access device.
  6. Save.

Map a directory match to a vendor-specific attribute:

  1. First, create the vendor and attributes on the Vendor-Specific Attributes page.
  2. Click Add New on the RADIUS Translation page.
  3. Change RADIUS Attribute Type to the appropriate vendor.
  4. Select the vendor-specific attribute.
  5. Set the LDAP Value pattern and RADIUS Value.
  6. Save.

Use the multi-tag input to check multiple LDAP attributes:

  1. Add multiple attribute names (e.g., memberOf, department).
  2. The LDAP Value regex is tested against values from all specified attributes.
  3. Any match triggers the RADIUS attribute inclusion.

| Issue | Possible Cause | Resolution |
|-------|---------------|------------|
| RADIUS attributes not included in response | Translation not enabled on the directory profile | Enable RADIUS translation on the LDAP or Entra ID profile |
| Regex not matching | Pattern does not account for full DN format | Test with broader patterns; AD group DNs include full path (e.g., CN=Group,OU=Groups,DC=...) |
| Wrong vendor attributes shown | Vendor not configured | Create the vendor on the Vendor-Specific Attributes page first |
| Multiple rules matching | All matching rules add attributes | This is expected behavior — all matching rules are applied |